Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device. Updates are available.

Description

A vulnerability in the RSVP feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger an interface queue wedge on the affected device.

The vulnerability is due to improper parsing of UDP RSVP packets. An attacker could exploit this vulnerability by sending UDP RSVP packets to the vulnerable device. An exploit could cause Cisco IOS Software and Cisco IOS XE Software to incorrectly process incoming packets, resulting in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions.

Cisco has confirmed the vulnerability in a security advisory and has released software updates.

Warning Indicators

Cisco has published a list of affected Cisco IOS Software releases in the security advisory. The "Vendor Announcements" section of this alert contains a link to the advisory.

IntelliShield Analysis

To exploit this vulnerability, an attacker may require access to trusted, internal networks to send crafted requests to the affected software. This access requirement could limit the likelihood of a successful exploit.

Valid UDP RSVP traffic could trigger this vulnerability on affected devices. Recovery from the interface queue wedge requires a reload of the device.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

A Cisco IOS Embedded Event Manager (EEM) policy can be used to identify and detect an interface queue wedge that is caused by this vulnerability. The policy allows administrators to monitor the interfaces for Cisco IOS devices and detect when the interface input queues are full. The script is available for download at the following link: Cisco Beyond: Embedded Event Manager (EEM) Scripting Community

An unauthenticated, remote attacker could exploit this vulnerability to cause a DoS condition on a targeted device.

Technical Information

The vulnerability is due to improper parsing of UDP RSVP packets by Cisco IOS and Cisco IOS XE Software.

An unauthenticated, remote attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending UDP RSVP network packets with crafted conditions to a targeted device. When the malicious traffic is processed by the affected software, packets queued by a Cisco IOS router or switch are never removed from the queue, leading to an interface queue wedge. A successful exploit could allow the attacker to interrupt traffic processing on the device. Repeated exploitation could cause a sustained DoS condition.

Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators may consider applying the global configuration command ip rsvp listener vrf vrf-nameip-address udp 1698 announce, where the IP address is one that does not exist on the device or in the routing tables. See the "Workarounds" section of the vendor advisory for more information.

Administrators may consider implementing Infrastructure Access Control Lists (iACL) and Unicast Reverse Path Forwarding (uRPF). See the "Workarounds" section of the vendor advisory for more information.

For more information about queue wedges and a few detection mechanisms that may be used to identify a blocked interface on Cisco IOS Software (including a white paper describing how this condition can be detected using SNMP), see Cisco IOS Queue Wedges Explained.

Understanding activity on the network provides information and visibility that can be used to identify potential security incidents. Organizations should log events from devices and review the logged data to provide insight into anomalies or malicious activity. For logging best practices, consult the Cisco Guide to Harden Cisco IOS Devices.

Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com

Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.